Damballa responds to Kraken exaggeration claims

A day after Damballa, an internet security company that focuses on targeted threats, announced the discovery of a new BotArmy named Kraken, the company released a follow-up statement to defend its findings after a number of security professionals questioned the validity of the claims.

The accusations claim that Damballa misrepresented the high number of attacks from Kraken. A blog on F-Secure’s website stated, “There are many detection names for ‘Kraken’: Oderoor, Bobax, Agent, and many more. We believe that there is a single group of people behind Kraken, updating their malware as time goes by. It’s not new; it’s just a new generation of something older.”

Damballa refuted these comments: “Damballa’s initial disclosure says only that ‘Kraken was first observed in winter 2007, but investigation into its origins suggests the existence of early variants as far back as late 2006.’ So is Kraken new? Damballa believes it is,” a statement released by the company on April 9 stated.

Paul Royal, principal researcher at Damballa, said the heart of the issue deals with the way information security professionals identify and categorize different entities based on their available sources and their organization’s focus.

“I think a lot of people have looked at this issue from a purely malware analysis point of view,” Royal told SCMagazineUS.com on Thursday. “But people are calling it all the same thing if it has similar components or has a common author.”

Damballa is calling Kraken new because, although there are similarities between Kraken and Bobax and other threats, they use different C&C domains and communicate with the C&C in a fundamentally different way, he said.

“We’re not just looking at the binaries,” said Royal, “but also at network activity. There are two distinct entities. If the server controls for Bobax were taken down, Kraken would continue and likewise.”